Abstract: Security of an information system based on Web is studied. The methods of making use of the security settings provided by the operating system, Web server and database management system efficiently and suitably to ensure security of the information system are discussed. The application software is flexible, and can compensate for the security limitations of the operating system, Web server and database management system. Taking the information system of a certain organization as an example, its security is discussed from the viewpoint of operating system, Web server, database management system and application. Advises are also given.